Purpose: To provide specific guidelines for the implementation of security patches based on the severity of the vulnerability.
Patches should be implemented according to the following timeframes:

| CVSS Score | Priority | Timeframe |
|---|---|---|
| ≥ 7 and ≤ 10 | 1 | 2 Weeks |
| ≥ 5 and < 7 | 2 | 4 Weeks |
| ≥ 3 and < 5 | 3 | 3 Months |
| > 0 and < 3 | 4 | Discretionary |

These priorities are based on the NVD Common Vulnerability Scoring System (CVSS). Individuals can subscribe to the NVD Weekly Summary RSS feed.
Exceptions: Patch implementation processes should take into consideration the need for testing and the potential impact on the operations of the University. If a system cannot be patched according to these timeframes, a standard exception should be requested.